2 WHAT IS CLOUD COMPUTING? The federal government defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Peter Nell and Timothy Grance, The National Institute of Standards and Technology Definition of Cloud Computing (NIST), Special Publication (September 2011). The NIST definition describes five essential characteristics of the cloud are: (1) on-demand self-service; (2) broad network access through mobile phones, tablets, laptops, and workstations; (3) resource pooling to serve multiple consumers; (4) rapid elasticity to meet demand; and (5) measured service. More simply, cloud computing is the use, transmission, and storage of information through applications and services offered over the Internet and hosted by third-party organizations. In cloud computing, internet-based computer resources are shared rather than using local servers or devices. Examples of cloud services are Dropbox, Yahoo, Google Docs, Google Apps Education, ClassLink, Net Trekker, and inbloom. ADVANTAGES AND DISADVANTAGES OF CLOUD COMPUTING. A school district may want to use cloud computing to reduce costs. A school district using cloud computing can reduce the costs of purchasing hardware and software to process and store information and can also reduce its IT maintenance costs. A school district can also save money by using cloud computing because it only pays for the actual storage and processing time it uses. Cloud Computing Issues For Schools, Inquiry & Analysis (September 2011), at 5. Cloud computing also allows a school district the flexibility to access information from any Internet connection and location and to process information on platforms that may not be compatible with the school district s software. Id. Cloud computing can also increase the efficiency of managing student records and increase learning opportunities. However, by using and storing its data on the cloud provider s server, the school district loses control of the data and the security measures to protect against unauthorized access to its data. The school district also permits its data to be accessed by the cloud provider. Another disadvantage is the potential loss of data or access to it if the cloud provider is off-line. DOES THE LAW PERMIT A SCHOOL DISTRICT TO USE CLOUD COMPUTING? Neither federal nor state law prohibit a school district from using cloud computing. A school district can use cloud computing to transmit and store education data including student records. However, the use of cloud computing does not negate the school district s obligations to protect the confidentiality of information. The United States Department of Education noted in its comments to the 2011 amendments to the Family Educational Rights and Privacy Act (FERPA) regulations: 1

3 The Department has not yet issued any official guidance on cloud computing, as this is an emerging field. We note, however, that the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII [personally identifiable information] from education records, regardless of where the data are hosted. Family Educational Rights and Privacy, 76 Federal Register 75604, (2011). The United States Department of Education has stated that a school district that uses cloud computing to outsource its information technology services must comply with the FERPA requirements for disclosure of personally identifiable information to third party contractors in 34 CFR 99.31(a)(1)(i) of the FERPA regulations. 34 CFR 99.31(a)(1)(i) establishes three requirements for outsourcing technology services: 1. The outside party must perform an institutional service or function for which the school district would otherwise use employees; 2. The outside party must be under the school district s control with respect to the use and maintenance of education records; and 3. The outside party is subject to the requirements of 34 CFR 99.33(a) governing the use and redisclosure of personally identifiable information. The direct control requirement as it applies to outsourcing technology services requires: Schools outsourcing information technology services, such as web-based and e- mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information. Family Educational Rights and Privacy, 73 Federal Register 74806, (2008). FERPA does not explicitly require that education data be stored within the United States. Privacy Technical Assistance Center, Frequently Asked Questions, Cloud Computing, (2012) at 5. However, the best practice is to store the information in the United States. Otherwise, the school district will not be able to comply with the direct control requirement because it may not be able to hold the foreign cloud provider legally accountable for protecting the confidentiality of personally identifiable information from education records. Id., pp. 5 and 6. A school district that outsources its information technology services should amend its FERPA policy to include outsourcing technology service providers as school officials. 2

4 FACTORS A SCHOOL DISTRICT SHOULD CONSIDER IN DECIDING TO USE CLOUD COMPUTING. Before deciding to use cloud computing, the United States Department of Education suggests that a school district answer certain questions about the security, privacy, legal, and compliance issues of using cloud computing. 1 Those questions are: 1. Does the cloud solution offer equal or greater data security capabilities than those provided by the school district s data center? 2. Has the school district taken into account the vulnerabilities of the cloud solution? 3. Has the school district considered that incident detection and response can be more complicated in a cloud-based environment? 4. Has the school district considered metrics collection, and system performance and security monitoring are more difficult in the cloud? 5. How will the school district exercise control over the data within the cloud to ensure that the data are available and that confidentiality and integrity of the data remain protected? 6. Are there appropriate access and use controls in place to provide proper level of accountability? 7. Are there any concerns regarding screening and monitoring of contractor staff and their activities? 8. Has the school district evaluated potential legal concerns associated with outsourcing data management to a cloud provider? For example, the school district must have a way to get the data back in a secure and timely manner in case a cloud provider goes out of business. 9. Has the school district considered what measures it will need to implement to ensure that the cloud provider complies with all applicable federal, state, and local privacy laws, including FERPA? For example, has the school district made sure that storing data on the cloud does not interfere with its ability to provide parents 1 The United States Department of Education has established a Privacy Technical Assistance Center (PTAC) as a resource for school districts. PTAC information can be accessed at The questions are derived from PTAC Frequently Asked Questions -- Cloud Computing (June 2012). 3

5 and eligible students with access to their education records should they choose to exercise their FERPA right to inspect and review them? The school district will also need to comply with the requirements of the Children s Online Privacy Protection Act (COPPA) (15 U.S.C ); the Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. 1232h); the Children s Internet Protection ACT (CIPA) (47 U.S.C. 254); and the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 300gg; 29 U.S.C et seq., 42 U.S.C. 1320d et seq.). COPPA is a federal law that requires that websites obtain parental consent before collecting personal information from children under 13 years of age who use or visit the site. PPRA requires written parental consent before minor students are required to participate in certain surveys, analyses, or evaluations which seek to collect personal information from students. CIPA requires school districts to use filters to block access to obscene information, child pornography, or other information harmful to minors. HIPAA requires covered entities to protect the use and disclosure of protected health information. 10. Has the school district evaluated its existing protections to establish a baseline level of protection with which to evaluate potential benefits and risks associated with moving to a cloud-based alternative? 11. Will the school district s insurer or risk pool provide coverage to protect the school district against risks posed by cloud computing? SELECTING A CLOUD COMPUTING PROVIDER 2 A school district must take reasonable steps to ensure the security of its information and data in the cloud. The United States Department of Education recognizes that no system for maintaining and transmitting education records, whether in paper or electronic form can be guaranteed safe from every hacker and thief, technological failure, violation of administrative rules, and other causes of unauthorized access and disclosure.... The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable. 73 Federal Register at Most of the questions are from the New Hampshire Bar Association s Ethics Committee Advisory Opinion # /4 The Use Of Cloud Computing In The Practice Of Law And Creating Effective Cloud Computing Contracts For The Federal Government, Best Practices For Acquiring IT As A Service (February 24, 2012). 4

6 Simply selecting a provider without knowing anything about the provider s location data storage practices, and security measures does not fulfill the school district s responsibilities. Reasonable steps require that the school district pose certain questions to the potential cloud provider. The questions that the school district should ask the provider in writing are: 1. Is the provider a reputable organization? How long has the provider been in business? What are its history, financial resources, and strategy? Does the provider have experience in dealing with regulated information? 2. Where are the provider s servers located and what are the privacy laws in effect at that location regarding unauthorized access, retrieval, and destruction of compromised data? If the servers are located in a foreign country, do the privacy laws of that country reasonably mirror those of the United States? If the servers are relocated, will the provider notify the school district in advance? Can the provider certify where the data is located at any one point in time? 3. Does the provider offer robust security measures such as, at a minimum, password protections or other verification procedures limiting access to the data; safeguards such as data back-up and restoration, a firewall, or encryption; periodic audits by third parties of the provider s security; and notification procedures in case of a breach? 4. Who has access to the school district s data, both in its live and backup state? 5. Is the data stored in a format that renders it retrievable as well as secure? Is it stored in a proprietary format and is it promptly and reasonably retrievable by the school district to respond to Right-To-Know Law requests, litigation needs, or parental requests for education records? Is metadata preserved? 6. Does the provider allow the school district to destroy all copies or renditions of records from the cloud when appropriate? 7. Does the provider allow the school district to implement record retention policies and schedules across categories of records and to retain the integrity of the files for the duration of the school district s records retention schedule? 8. Does the provider commingle data belonging to different clients such that retrieval may result in inadvertent disclosure? Does the provider segregate data for each client? 9. Does the provider own the data stored in the cloud? 5

7 10. Does the provider have an enforceable obligation to keep the data confidential? 11. Does the provider subcontract with excess capacity providers? 12. What will happen to the data when the agreement between the school district and provider is terminated? 13. Will data be destroyed or compromised in case of nonpayment? Will any or all of the data be retained by the provider, and if so, where and for how long? 14. Do the terms of service obligate the provider to warn the school district if information is being subpoenaed by a third party, where the law permits such notice? 15. What is the provider s disaster recovery plan with respect to stored data? Is a copy of the digital data stored on-site? 16. Does the provider mine or allow third parties to mine the school district s data? 17. How can the school district access the data if there is an Internet access failure? CONTINUING OBLIGATIONS EVEN AFTER SELECTING A CLOUD PROVIDER The school district s obligation to protect the security of information and data in the cloud does not cease when a cloud provider is selected. The school district must periodically review the performance of its cloud provider and its security systems, location, and practices. The school district should review its cloud provider and its services to determine whether it is keeping current with changes in technology and the law. 6

2015 NMSBA SCHOOL LAW CONFERENCE NETWORK SECURITY, DISTRICT POLICIES ON INTERNET USE, AND THE LAW Andrew M. Sanchez David A. Richter Cuddy & McCarthy, LLP 1 FEDERAL LAWS The Family Educational Rights and

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

Acceptable Use Policy I. Introduction Each employee, student or non-student user of Greenville County Schools (GCS) information system is expected to be familiar with and follow the expectations and requirements

PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key

HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited

Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly

Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:

A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under

BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process

COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, Information Integrity Solutions Legalwise Seminars Sydney, 20 March 2013 About IIS Building trust and privacy through global

Page 1 of 5 K-20 Network Acceptable Use Guidelines/Internet Safety Requirements These procedures are written to support the Electronic Resources Policy of the board of directors and to promote positive

Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

Rackspace Archiving Compliance Overview Freedom Information Act Sunshine Laws The federal government and nearly all state governments have established Open Records laws. The purpose of these laws is to

5450F1 (page 1 of 6) Snake River School District No. 52 HIPAA BUSINESS ASSOCIATE AGREEMENT (See also Policy No. 7436, HIPAA Privacy Rule) THIS AGREEMENT is entered into on this day of, 20 by and between